Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to force data to freeze?

tsheets13
Communicator
‎09-13-2019 12:34 PM

We, up to now, have never frozen data. However, we have a requirement now to freeze some data for years.

I need to show in a development environment how this works.

I have created a new index. Defined coldToFrozenDir and set frozenTimePeriodInSecs to 600 (10 mins).

I have created input for a text file and filled it with about 100k lines of data.

The data is being successfully indexed

The directory was created, but there is no frozen data.

I suspect it's because the data is still hot.

Is there a way to force data through the bucket cycle so I can see it show up frozen?

0 Karma
Reply

adonio
Ultra Champion
‎09-14-2019 12:07 PM

tried your settings on my laptop, and wrote a scheduled search that runs every 5 minutes and does that:
index = _internal | head 1000 | collect index=timtest"

try and run this search to see if its working:
index=_internal sourcetype=splunkd component=BucketMover freeze

works fine on my end
see screenshots:
alt text

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

maciep
Champion
‎09-14-2019 06:00 AM

did you try restarting splunk? i think restarting splunk will force the bucket to roll from hot? So you could at least test that theory and/or verify if the bucket rolls to warm/cold...

0 Karma
Reply

tsheets13
Communicator
‎09-16-2019 05:28 AM

That's all it took. Restart did the trick. Interesting that the first restart created the frozendb path, but it required a second for the data to actually start freezing.

0 Karma
Reply

maciep
Champion
‎09-16-2019 06:02 AM

i wonder if the bucket rolls when splunk is stopping and your setting took effect as splunk was starting. So that bucket had rolled off before it knew about the directory?

0 Karma
Reply

adonio
Ultra Champion
‎09-16-2019 08:59 AM

@tsheets13
If you found a solution, kindly mark the question as answered so other will know what worked for you, also up-vote any helpful comments

0 Karma
Reply

adonio
Ultra Champion
‎09-13-2019 07:15 PM

please share your indexes.conf. according to your description, it supposed to work fine. data will freeze regardless bucket status of time or size thresholds are met

0 Karma
Reply

tsheets13
Communicator
‎09-14-2019 05:13 AM

[timtest]
coldPath = $SPLUNK_DB/timtest/colddb
homePath = $SPLUNK_DB/timtest/db
maxHotSpanSecs=900
coldToFrozenDir=$SPLUNK_DB/timtest/deeperpath/frozendb
frozenTimePeriodInSecs=600
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/timtest/thaweddb

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...